Why I Pulled Out Of The RSA Conference

[EDITOR'S NOTE: The opinions expressed in this Commentary are those of the author and do not reflect the position of InformationWeek or its parent company, UBM LLC.]

In early November, I was pleased to announce (via my Twitter feed, @dak3) that one of my proposals had been accepted for a presentation at the RSA Security Conference in San Francisco in February. I was very pleased, because this was my first acceptance (in three tries), and I know how hard it is to garner a spot on the agenda. Some years ago, I was the sole referee for the conference's identity management track. I reviewed more than 1,000 proposals, which I had to whittle down to 25, so that the event organizers could pick five that would actually make the agenda.

So it was with great reluctance that I've canceled my presentation in light of unsettling news reports about RSA's involvement with the US National Security Agency. Just before Christmas, Reuters published a story based on revelations from the papers and documents stolen by former NSA contractor Edward Snowden. "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry."

The story cited a New York Times story that said the Snowden documents "show that the NSA created and promulgated a flawed formula for generating random numbers to create a 'back door' in encryption products." The flawed random number-generating algorithm, Dual Elliptic Curve, was reportedly installed as the default choice for RSA's BSafe package, a tool for developers to add encryption techniques to their products.

After the Reuters story, RSA, a unit of EMC, said in a blog post: "We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use." I believe RSA. That's what really troubles me.

It troubles me because RSA did introduce a backdoor, though unknowingly, and made it the default choice. Security experts who have examined RSA's software package have confirmed that fact. RSA's statement doesn't deny taking $10 million from the NSA. It would appear that the NSA offered to sign a $10 million licensing contract -- provided, according to the Reuters report, that RSA made Dual Elliptic Curve the default. The Reuters report maintains that the NSA then used the evidence that RSA had chosen the algorithm to convince the National Institute of Standards and Technology to adopt it as the default method of random number generation.

This was a business decision, not a technology decision. If the Reuters story is true -- and RSA hasn't denied the crux of its allegations -- the security of RSA's customers and its customers' customers was put at risk for monetary gain. (When contacted via email, an EMC spokesman declined to respond to questions about the nature of the NSA's $10 million payment to RSA, or to a request for the company's reaction to threatened conference boycotts. More on the boycotts later.)

Even more telling for me was the widely reported compromise of RSA's SecurID hardware token in 2011. The company was compromised by a phishing attack, which led to a data breach in which the root keys (seeds) of the SecurID algorithms were taken. This event led to attempted breaches (which may or may not have been successful) at US defense contractors such as Lockheed Martin, L3 Communications, and Northrop Grumman.

That a security vendor could so easily have its security breached is, at best, unfortunate. But taken alongside this latest set of allegations, it's too much to ask me to swallow.

I haven't been a fan of RSA since EMC took over (and pushed EMC execs into the management of all RSA divisions) and the people who had been the heart and soul of RSA began to leave. When the SecurID breach occurred, I urged readers to find another security partner. This latest revelation has led me not only to pull out of next month's RSA Conference, but also to stop supporting the purchase of RSA products. I leave that decision to you.

Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will. Security is hard enough without having to worry that our suppliers -- either knowingly or unknowingly -- have aided those who wish to subvert our security measures.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity management to a generation of technologists.


As you say, Stratustician, it is indeed rare that business organizations take a moral stance on how they conduct business. But even though advocates of greater transparency in NSA security & privacy policy say it's not enough, the public outcry has moved the needle -- albeit microscopically -- with President Obama's announcement last Friday of five changes in the US surveillance policy. One thing that is certain: as long as the public pressure continues, so will the public debate.

I honestly wish it was a valid way of business, but sadly the reality is that organizations only care about the bottom line often. From a security perspective, many organizations will argue "They've worked for us until now" as we saw evidenced by the lack of real market change after their breach. I'd love to think we will see companies take more moral stances about who they conduct business with, but sadly I don't see this becoming the norm.

@Stratustician That's a great question that is worthy of repeating. It would be great to get a discussion going about the realities of taking a moral position about a product based on a vendor business decision. Is this even possible?

I applaud your moral stance to defend the principle behind data security, that it actually protects data from unauthorized access. When the RSA breach in 2011 happened, it should have sent up lots of warning flags, and yet I still see those tokens everywhere. It's as if the industry says, "Meh, we'll get over it." I wonder what it will take for people to seriously consider what the NSA implications mean from an industry perspective when it comes to security solutions.

Has anyone actually started to migrate off RSA and onto another solution? What are you considering to move to and why?

I imagine there is probably some gag order imposed by the NSA on RSA about disclosing what was in the contract, but I'm not aware of any legislation that would prohibit officials of a private company from defending itself against such serious and public accusations... (That's what lawyers, PR firms and spin doctors are for). Whether that would shed any light on the situation is another question...

I can't speak for the others, and I know it's probably too late for those who've made their plans already to be able to back out without financial hardship, but for me it's enough that the dialog keeps going. Vendors have to learn to take their customers' security as their top priority. After all, if they aren't secure why should we believe their products are?

Kudos for taking a stand against unwarranted surveillance and standing up for civil liberties. Perhaps if industry loses enough big name players in the federal government's obsession to turn the US into the old USSR, companies won't be so willing or so easily bought off to participate in the wholesale destruction of the Constitution.

Dave, I give you and the eight other security researchers credit for taking such a principled stand -- and especially for taking the time to spell out the reasons behind your decision to boycott RSA. Your column adds a lot of needed depth to the discussion about how technology companies and the government should engage when dealing with privacy and security matters that impact public safety. That said, what do you and the other boycotters believe would be the best outcome from your actions?